Articles by Issue

Hiding parameters from ModSecurity WAF

There are more interesting WAF bypasses that were discovered during the 1337up0522 live hacking event. This time, by terjanq, who came back from a CTF retirement for a few hours and smashed the hardest web challenges on SEKAI CTF that I’ve played with JustCatTheFish....

RFC-induced SSRF

Sometimes, we see an absolute URI in the first request line. I have seen this trick used a few times, for example when exploiting request smuggling. The request then goes to your server and not to the one from the Host header. I never thought about why it works and...

The hardest CTF task I’ve ever done

Last week, I published a video about a crazy task from a CTF that we solved. By "we" I mean me and the JustCatTheFish team, with which I play as a guest. Tasks on a real, ranked CTF were really hard, but that just makes solving one more satisfying. This challenge involved two...

Setup for testing authorization bugs

Authorization testing is one of the vulnerability classes I rather dislike, because it involves doing the same thing many times, hoping that one time it will work. Often, it's very time-consuming. However, over the years, I have become more effective at it. Today, I will share...

Prototype-related bugs

Christoffer Jerkeby wrote an article about prototype-related bugs. It has the term "prototype poisoning" in the title, and while reading the article I thought it was being used interchangeably with "prototype pollution", but it turns out they are different things. To read about...

Bitbucket pre auth RCE

There's a pre-auth RCE for Bitbucket which, as my Twitter feed claimed, is actively exploited in the wild. It was discovered by Assetnote, which means the blog post contains not only what the bug was but also how they found it and why it works....

CodeQL learning path

CodeQL is a code scanner that sits somewhere between static analysis, where a scanner just analyses the code as text, and dynamic analysis, where the scanner actually executes the application and sends payloads. CodeQL understands the code and the flow of the...

Default credentials cheat sheet with 3445 products

Default credentials are everywhere! However, it's often not that easy to Google them, so we might sometimes miss these bugs. To help us avoid that, ihebski aggregated data from different sources to create a cheat sheet with 3,445 (!) sets of default creds....

Learning GraphQL #5 – batching attacks

Last week, I saw some tools and articles about GraphQL batching attacks. I thought it would be a good idea to cover them in my sample application to see if, how and why they work.

GraphQL batching attacks

To my application, I added a simple piece of code that draws a random 5-digit...

The mindset to Improve in Bug Bounty

Gunnar Andrews has a series called Mental hacking, where he talks about the mindset in the context of bug bounty. So far, I have only watched one episode, but I really identify with what Gunnar says. For me, the most important quote from the video is "Compare yourself to yourself...